neconyd | e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559

General

Target

e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
Size

80KB
MD5

57f5f9371c3958b32fc9aa2b935df480
SHA1

40d2b22fe370d20e93dadf6d09683ac2d31f987b
SHA256

e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559
SHA512

9aead12a2521916681e1f68dcf244a1bcbb56cd454d39af0544d251eb7ed6bcf986973c6b2d0b4dc6884a87d1e531b3a34b4abbd4d2cf73d07680d373b2053c8
SSDEEP

1536:7d9dseIOcE93bIvYvZEyF4EEOF6N4yS+AQmZcl/52izbR9XwzB:LdseIOMEZEyFjEOFqTiQmOl/5xPvwN

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

C2

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 3 IoCs

pid	Process
2212	omsecor.exe
2612	omsecor.exe
2264	omsecor.exe

Loads dropped DLL 6 IoCs

pid	Process
2384	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
2384	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
2212	omsecor.exe
2212	omsecor.exe
2612	omsecor.exe
2612	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2212	2384	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	28
PID 2384 wrote to memory of 2212	2384	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	28
PID 2384 wrote to memory of 2212	2384	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	28
PID 2384 wrote to memory of 2212	2384	e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe	28
PID 2212 wrote to memory of 2612	2212	omsecor.exe	32
PID 2212 wrote to memory of 2612	2212	omsecor.exe	32
PID 2212 wrote to memory of 2612	2212	omsecor.exe	32
PID 2212 wrote to memory of 2612	2212	omsecor.exe	32
PID 2612 wrote to memory of 2264	2612	omsecor.exe	33
PID 2612 wrote to memory of 2264	2612	omsecor.exe	33
PID 2612 wrote to memory of 2264	2612	omsecor.exe	33
PID 2612 wrote to memory of 2264	2612	omsecor.exe	33

C:\Users\Admin\AppData\Local\Temp\e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe
"C:\Users\Admin\AppData\Local\Temp\e09aa83441a046d0ca45c65e39e2f7fbf591bbe77e1a4524c458385e6be8a559N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\omsecor.exe
  C:\Users\Admin\AppData\Roaming\omsecor.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\omsecor.exe
    C:\Windows\System32\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
f97587f7b361193b7db0db38ad4fb970

SHA1
584034a137030cfcee780ef8835c5d7de588e081

SHA256
5b8ff5e52dbea86abceab6c421da3c2a435ed4e48d7a84675d251c84e2d60b47

SHA512
157bd41c8dd5160f3270a02de352136f15368e632cd08573753dc0a81d3eb2179696e8f5daef7cff15735e0ad7a325ba567a9e4f6ff54befe3ebfc9d8457ccf9

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
80KB

MD5
2b43bd852951201c86e9208f528b83e5

SHA1
bc4c432253a227be9d228594ed6e016dd354da22

SHA256
15e24e52673ec3f55f0fa6537986dd2ff3e55f00cd8b7a29b458f33e2f99206b

SHA512
bf9be0683b9c6ac8212f65a87a7abe1c03cb7c34884f09aa9040d3cc0e6ba1ec49a793eabe6bddf502626bdb647dcd9399f9db2b21d136976076e7823cda0e48

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
80KB

MD5
1812010e917df5eb4c995894f6d5c66e

SHA1
0a35bd48987db596dc4db48b51c0765599968a39

SHA256
8e63b7dd45f5200e0cb320763822768a6a56b623f2b1895d784b417ca6ea5dbc

SHA512
9dbd0fd897d20736d3228cab97b027862f2dc665706a45669c4e63aad7dd5d44e2ffc557d6d1100676647dad86c6f91db18083ebf3bb5175992ae4b56e023386

Download Submit

Analysis

Sharing